bifurcation / userinfo-vc

A core interop profile for Verifiable Credentials in OpenID

Reconsider "Decentralized OpenID-based Login" as a use-case #9

Closed Sakurann closed 1 year ago

Sakurann commented 1 year ago

I am pretty against advocating using VCs to authenticate; it leads to claim-based authentication, which is a well-known security vulnerability. There are much more secure passwordless options available. And using `sub` in a Self-Issued ID Token or a self-signed VC to re-authenticate the user identifier using a VC is a different use case. We cannot stop people from using claims in the VCs to authenticate, but we should not explicitly advocate for it.

bifurcation commented 1 year ago

I'm pretty sure I disagree with you here. The pattern we're talking about here -- issuing a public key credential and presenting it elsewhere -- is used everywhere with X.509. It's what makes HTTPS work. I can understand how there would be vulnerabilities with this pattern with bearer tokens, but sender-constrained tokens are different.

That said, I totally get that this is much more speculative than the E2E identity use case. I mainly added it because I wanted a second use case so it wasn't all about E2EI. Do you have any thoughts on another use case we could add?
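The distinction drawn in the two comments above, a bearer credential (anyone holding the bytes is accepted on its claims) versus a sender-constrained credential (the issuer binds a holder public key and the verifier demands a fresh proof of possession), as an added example that is not part of this thread or the userinfo-vc repository. The `Credential` struct, the `Issue`/`Present`/`Verify*` functions, the `https://rp.example` audience and the digest layouts are all constructed for illustration and are not the VC data model or any OpenID wire format; Ed25519 stands in for whatever key type a real profile would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Credential is a constructed, simplified stand-in for a VC: issuer-signed
// subject claims, optionally bound to the holder's public key.
type Credential struct {
	Subject   string
	HolderKey ed25519.PublicKey // nil for a bearer credential
	IssuerSig []byte
}

// credentialDigest is the canonical byte string the issuer signs.
func credentialDigest(sub string, holderKey ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte("cred|"))
	h.Write([]byte(sub))
	h.Write([]byte("|"))
	h.Write(holderKey)
	return h.Sum(nil)
}

// Issue creates a credential; holderKey == nil yields a bearer credential.
func Issue(issuerPriv ed25519.PrivateKey, sub string, holderKey ed25519.PublicKey) Credential {
	return Credential{Subject: sub, HolderKey: holderKey,
		IssuerSig: ed25519.Sign(issuerPriv, credentialDigest(sub, holderKey))}
}

// VerifyBearer accepts any presentation whose issuer signature checks out:
// whoever holds a copy of the credential bytes is accepted as Subject.
func VerifyBearer(issuerPub ed25519.PublicKey, c Credential) (string, error) {
	if !ed25519.Verify(issuerPub, credentialDigest(c.Subject, c.HolderKey), c.IssuerSig) {
		return "", errors.New("bad issuer signature")
	}
	return c.Subject, nil
}

// challengeDigest ties the proof to this verifier and this nonce, so a captured
// proof is useless at another verifier or in a later session.
func challengeDigest(audience string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("pop|"))
	h.Write([]byte(audience))
	h.Write([]byte("|"))
	h.Write(nonce)
	return h.Sum(nil)
}

// Present is the holder's step: sign the verifier's challenge with the bound key.
func Present(holderPriv ed25519.PrivateKey, audience string, nonce []byte) []byte {
	return ed25519.Sign(holderPriv, challengeDigest(audience, nonce))
}

// VerifyKeyBound checks the issuer signature, then the proof of possession over
// a challenge the verifier itself generated.
func VerifyKeyBound(issuerPub ed25519.PublicKey, c Credential, audience string, nonce, proof []byte) (string, error) {
	if _, err := VerifyBearer(issuerPub, c); err != nil {
		return "", err
	}
	if len(c.HolderKey) != ed25519.PublicKeySize {
		return "", errors.New("credential is not bound to a holder key")
	}
	if !ed25519.Verify(c.HolderKey, challengeDigest(audience, nonce), proof) {
		return "", errors.New("proof of possession failed")
	}
	return c.Subject, nil
}

// Outcome records each verifier's decision for the legitimate holder, for a
// party that only copied the credential bytes, and for a replayed proof.
type Outcome struct {
	BearerLegit, BearerCopy, KeyBoundLegit, KeyBoundCopy, KeyBoundReplay bool
}

func newNonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Scenario runs both flows with freshly generated (constructed) keys.
func Scenario() Outcome {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, copierPriv, _ := ed25519.GenerateKey(rand.Reader) // has the bytes, not the holder key
	const rp = "https://rp.example"                       // constructed verifier identifier

	bearer := Issue(issuerPriv, "alice", nil)
	bound := Issue(issuerPriv, "alice", holderPub)

	var o Outcome
	_, err := VerifyBearer(issuerPub, bearer)
	o.BearerLegit = err == nil
	_, err = VerifyBearer(issuerPub, bearer) // the copier presents identical bytes
	o.BearerCopy = err == nil

	n1 := newNonce()
	proof := Present(holderPriv, rp, n1)
	_, err = VerifyKeyBound(issuerPub, bound, rp, n1, proof)
	o.KeyBoundLegit = err == nil
	n2 := newNonce()
	_, err = VerifyKeyBound(issuerPub, bound, rp, n2, Present(copierPriv, rp, n2))
	o.KeyBoundCopy = err == nil
	_, err = VerifyKeyBound(issuerPub, bound, rp, n2, proof) // n1 proof replayed
	o.KeyBoundReplay = err == nil
	return o
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Running it prints `BearerLegit:true BearerCopy:true` alongside `KeyBoundLegit:true KeyBoundCopy:false KeyBoundReplay:false`: the bearer verifier cannot tell the subject from anyone who obtained the credential, which is the claim-based weakness the first comment objects to, while the key-bound verifier only accepts a party that can sign the current challenge with the key the issuer bound, which is the X.509-style pattern the second comment describes.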